如何在Chrome打包的应用中设置script-src? [英] How to set script-src in a Chrome packaged app?

问题描述

我正在尝试从复杂的网络应用程序创建Chrome打包的应用程序.我目前收到错误消息:

I'm trying to create a Chrome packaged app from a complicated web app. I'm currently getting the error:

拒绝执行内联事件处理程序，因为它违反了 以下内容安全策略指令:"default-src'self' chrome-extension-resource:.请注意，"script-src"未明确显示 设置，因此将"default-src"用作后备广告.

Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

如何在manifest.json中显式设置策略?我已经尝试过类似的事情:

How do I explicitly set the policy in my manifest.json? I've tried things like:

"content_security_policy": "default-src 'inline'; script-src 'inline'"

，但我仍然收到相同的错误消息.我的语法错误吗?还是该错误是红色鲱鱼?

but I still get the same error message. Is my syntax wrong, or is the error a red herring?

推荐答案

您无法在打包的应用中放松默认的CSP.如果您正在执行类似<button id="foo" onclick="doSomething()">的操作，那么您应该在HTML中包含一个单独的JS文件，在您的onload处理程序中执行document.querySelector("#foo").onclick = doSomething;.这将符合CSP，并使您的应用更能抵抗XSS攻击.

You can't loosen the default CSP in a packaged app. If you're doing something like <button id="foo" onclick="doSomething()"> then you should instead include a separate JS file in the HTML where you do a document.querySelector("#foo").onclick = doSomething; in your onload handler. This will comply with CSP and make your app more resistant to XSS attacks.

这篇关于如何在Chrome打包的应用中设置script-src?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！